IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-00.txt

Matthijs Mekking <matthijs@pletterpet.nl> Tue, 26 October 2021 08:10 UTC

Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C9F03A1266 for <dnsop@ietfa.amsl.com>; Tue, 26 Oct 2021 01:10:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.247
X-Spam-Level:
X-Spam-Status: No, score=-5.247 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-3.33, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VPO2kCVVZShW for <dnsop@ietfa.amsl.com>; Tue, 26 Oct 2021 01:10:37 -0700 (PDT)
Received: from lb3-smtp-cloud8.xs4all.net (lb3-smtp-cloud8.xs4all.net [194.109.24.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 673193A1265 for <dnsop@ietf.org>; Tue, 26 Oct 2021 01:10:36 -0700 (PDT)
Received: from cust-69fe625f ([IPv6:fc0c:c103:c4a6:cf3c:d2f9:56fe:3f93:cb0b]) by smtp-cloud8.xs4all.net with ESMTPSA id fHXRmKhJmFfMifHXUmVtgV; Tue, 26 Oct 2021 10:10:32 +0200
To: dnsop@ietf.org
References: <161953482575.7668.10479553059119648994@ietfa.amsl.com> <f9f4dcfc-3bc4-3859-7aab-568c3f5d0a29@nic.cz> <367EA8BC-BD5E-4363-A3FC-D5F3AF41305E@dnss.ec>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <ee4417ee-9531-df83-96a5-0a55dd397755@pletterpet.nl>
Date: Tue, 26 Oct 2021 10:10:29 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0
MIME-Version: 1.0
In-Reply-To: <367EA8BC-BD5E-4363-A3FC-D5F3AF41305E@dnss.ec>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-CMAE-Envelope: MS4xfG0MOmiyHF/5TRABN40adp4d4XaRzR+2uKCXUArBmsjeJEMwsuhwTEiO2Dlc6F9r5eOPzuOSLITtlXw0S39BzslylwuTzBOORFa676sQ0k3m0fuwC2/V WvVdNhlnomOyfXt0sagtdts+CHZJkY1d2kDIeNfCpQInG4c0CXnXW6QuhNkcwlSDZw7CtsAzvtz72dYoSNOkKJlQhroj6UTX4sQrvuDPvmpXfAPc917IrP38 XS3LaKv393u6vd0ebTy0tJKouc4eEudzSKnVGyE9zWP9YMJEbfomzAlw7skT5gRX
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hpiDx0Gm3xE6zw_3gyF2fGWjf-A>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Oct 2021 08:10:42 -0000

Hi,

On 26-10-2021 01:56, Roy Arends wrote:
> 
>> On 20 Oct 2021, at 14:14, libor.peltan <libor.peltan@nic.cz>
>> wrote:
>> 
>> Hi all,
>> 
>> although for me, as an implementer of an auth server, it's not too
>> important, I'd like to ask for clarification regarding the foreseen
>> reporting domain(s) setup in the (usual) case of many secondary
>> auth servers.
>> 
>> The draft says: "Each authoritative server SHOULD be configured
>> with a unique reporting agent domain."
>> 
>> I see two possible error situations:
>> 
>> 1) the zone itself is wrongly signed, so all secondaries share the
>> same error 2) some of the secondaries respond wrongly from
>> correctly signed zone, so the error is slave-specific
>> 
>> IMHO the case (2) is far less common. And the case (1) doesn't
>> require per-secondary reporting domain, just per-zone.
>> 
>> Is it really recommended (in capitals) that the zone operator
>> prepares extra reporting domain for each secondary around the world
>> (it can be hundreds)?

If you have outsourced your secondaries to a company that has hundreds 
of secondaries I guess you can also set up a reporting agent domain like 
"company1.reporting-agent.example". and 
"company2.reporting-agent.example". It won't tell you exactly which 
server caused the problem, but at least it gives you some idea without 
having to set up hundreds of domains.

But I am also not convinced that the recommendation needs to be in capitals.


> The domain owner may have contracts with more than one operator. The
> operator may operate many authoritative servers, which not all serve
> the same set of zones.
> 
> If the reporting agent domain is unique, the erroneous server can be
> pinpointed faster. If all auth servers for a domain have the same
> reporting agent domain, the reporting agent knows there is an error,
> just doesn’t know where.
> 
>> If so, it can cause a disclosure about which secondary the answer
>> is comming from, dunno if some zone operators are not willing to
>> conceal this.
> 
> In that case, the zone operator doesn’t have to deploy EDE reporting,
> right?

The zone operator may still be interested in knowing about resolving 
issues. And DNS error reporting would still work if you have just a 
single reporting agent domain.


Matthijs



> Roy
> 
>> 
>> Thanks!
>> 
>> Libor
>> 
>> Dne 27. 04. 21 v 16:47 internet-drafts@ietf.org napsal(a):
>>> A New Internet-Draft is available from the on-line
>>> Internet-Drafts directories. This draft is a work item of the
>>> Domain Name System Operations WG of the IETF.
>>> 
>>> Title           : DNS Error Reporting Authors         : Roy
>>> Arends Matt Larson Filename        :
>>> draft-ietf-dnsop-dns-error-reporting-00.txt Pages           : 12 
>>> Date            : 2021-04-27
>>> 
>>> Abstract: DNS Error Reporting is a lightweight error reporting
>>> mechanism that provides the operator of an authoritative server
>>> with reports on DNS resource records that fail to resolve or
>>> validate, that a Domain Owner or DNS Hosting organization can use
>>> to improve domain hosting. The reports are based on Extended DNS
>>> Errors [RFC8914].
>>> 
>>> When a domain name fails to resolve or validate due to a 
>>> misconfiguration or an attack, the operator of the authoritative 
>>> server may be unaware of this.  To mitigate this lack of
>>> feedback, this document describes a method for a validating
>>> recursive resolver to automatically signal an error to an agent
>>> specified by the authoritative server.  DNS Error Reporting uses
>>> the DNS to report errors.
>>> 
>>> 
>>> The IETF datatracker status page for this draft is: 
>>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-error-reporting/
>>>
>>>
>>> 
There are also htmlized versions available at:
>>> https://tools.ietf.org/html/draft-ietf-dnsop-dns-error-reporting-00
>>>
>>> 
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-error-reporting-00
>>> 
>>> 
>>> Please note that it may take a couple of minutes from the time of
>>> submission until the htmlized version and diff are available at
>>> tools.ietf.org.
>>> 
>>> Internet-Drafts are also available by anonymous FTP at: 
>>> ftp://ftp.ietf.org/internet-drafts/
>>> 
>>> 
>>> _______________________________________________ DNSOP mailing
>>> list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
>> 
>> _______________________________________________ DNSOP mailing list 
>> DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
> 
> _______________________________________________ DNSOP mailing list 
> DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email